Assignment 1
Due date: October 6, 9.00 pm (Updated!). You are encouraged to work with a partner.
Submission Format:
- Follow the submission checklist to create a1.zip or a1.rar. Please adhere to the folder/file structure specified in the checklist! Submit using the UTM submission system.
Note: All exploits are to take place under the RH7.2 Virtual Machine (you can find this in /virtual/virtual_machines/RH72LabImage_2013.zip on the lab systems). Although you have been given the source code, you should assume that your exploit involves us running our unmodified, compiled copy of the code under the rh7.2 assignment image with your inputs. If you can't find the VM, look on cs40 in /virtual and copy it to your machine. See the first tutorial if you do not know how to copy source code into the VM.
- [15 Marks] Answer questions (1), (2), (3) in v3.c and makeShellCode.pl. Solve (4) to get 10 bonus points!
- [10 Marks, (5 for overrun, 5 for explain and fix)] Determine inputs to donothing2.c which cause it to launch a shell. Submit any scripts which generate inputs (like makeShellcode.pl) as well as a readme explaining how to use them. Explain what the flaw in the code is and then submit a fixed version which does not suffer from this flaw but performs the same operations on the data.
- [25 Marks] Your assignment VM has code installed in /vulnerable. You can find this question in account.c. You do not have to write buffer overrun code for this part of the assignment; just identify any that you see and explain the potential impact. You do have to identify and demonstrate other issues in the code. Finally, fix the code. All code is also in vulnerable.tar.gz.
- [10 Marks, (2 points for explanation and stack picture, 8 points for exploit)] The systems administrator is in the middle of installing an authentication scheme on his server, see granted.c. Since the actual authentication protocol is incomplete and there is no input read from the user into the password string, he thought it would be safe to allow the code to run on his server. Unfortunately, the code has a vulnerability. Note that by default, auth_flag=0 and hence the user is "not authenticated". Modify only makeShellcode.pl to produce badInput4 such that upon running "granted badInput4" the function granted() is executed. Explain the vulnerability and your exploit along with a picture of the stack.
- [10 Marks, (5 for each article)] Read the security articles I posted in the "In the news" section. Choose two of them or any other recent security article from the news (one for each group member), then briefly outline the article and analyze the issue with respect to both CIA (Confidentiality, Integrity, Availability) and Assessment, Protection, Detection, Response. For each article discuss how the issue impacts C, I and A. Finally, discuss whether any of Assessment, Protection, Detection or Response failed, and how they should or will be modified. An outline of your report is below.

Article:
Summary:
Security Impact:
  Confidentiality:
  Integrity:
  Availability:
Process Failures and Subsequent Improvements:
  Assessment failures:
  Assessment modification:
  Protection failures:
  Protection modification:
  Detection failures:
  Detection modification:
  Response failures:
  Response modification:
Q and A Section:
- "Can you please clarify Q3?" For part 1, explain the vulnerability and the problem with the code. For part 2, show how to exploit this vulnerability and what an attacker can gain from it.
- "For question 4, if I compile the code and then I run the code ('./granted', './granted test' or './granted second test') I get a seg fault." Please run with an existing, non-empty file as the command-line argument.
- "What do I need to do for question 1.c?" You might need to modify the shellcode a little bit. You should be able to directly modify it without having to generate it from scratch. Please see the lecture notes for how the registers should be setup and try to understand what must be changed to run a different command.
- "How can I get the assignment files into the VM?" As the assignment states: "See the first tutorial if you do not know how to copy source code into the VM."
- "For the first part, do we just run your perl script and create badInput1?" No, of course you need to modify the perl script.
- "What should I do with "int len" for question 1?" You need to have a valid integer in that location from shellcode.